renderer: avoid out of bound sampler array access

Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

renderer: avoid out of bound sampler array access
Fix found thanks to american fuzzy lop. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
18e4808c · Marc-André Lureau · Dave Airlie · 775f5ed6 · 18e4808c
Commit 18e4808c authored Jan 19, 2016 by Marc-André Lureau Committed by Dave Airlie Feb 10, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

src/vrend_renderer.c src/vrend_renderer.c +6 -0

No files found.
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -3412,6 +3412,12 @@ void vrend_bind_sampler_states(struct vrend_context *ctx,
      return;
   }

+   if (num_states > PIPE_MAX_SAMPLERS ||
+       start_slot > (PIPE_MAX_SAMPLERS - num_states)) {
+      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER, num_states);
+      return;
+   }
+
   ctx->sub->num_sampler_states[shader_type] = num_states;

   for (i = 0; i < num_states; i++) {